UAC-0241UAC-0241

UAC-0241 is a threat actor tracked by CERT-UA, active from May to November 2025, targeting educational institutions and government bodies in eastern Ukraine via spear-phishing emails from compromised Gmail accounts. These emails deliver password-protected ZIP archives with malicious LNK files that trigger an HTA → JavaScript → PowerShell chain, deploying credential harvester LaZagne, file-stealer scripts, and the Go-based GAMYBEAR backdoor for command execution, data exfiltration over HTTP, and persistence via registry Run keys. Initial access stemmed from a May 26 phishing spoofing a local emergency agency, with compromised systems exploited for lateral movement.